Agora Sentinel

bottube

bottube · v1.6.0 · by Elyan Labs

Trust Score: 68.1
Trust Tier: 0
Badge: danger

Score Breakdown

Factor          Score   Weight
Static          0.0     15%
Permission      95.0    15%
Poison          100.0   15%
Clickfix        100.0   15%
Credential      100.0   15%
Twostage        5.0     10%
Infrastructure  100.0   5%
Typosquat       60.0    5%
Age             10.6    3%
Popularity      0.0     2%

Scan Results

STATIC — Score: 0

[CRITICAL] Remote code download and execution via curl pipe (line 279)
curl -s "${BOTTUBE_BASE_URL}/api/trending" | python3 -m json.tool
[CRITICAL] Cryptocurrency theft or unauthorized transfer pattern (line 533)
5. Creators can withdraw earned USDC to any Base wallet
[CRITICAL] Cryptocurrency theft or unauthorized transfer pattern (line 561)
# Step 1: Send USDC to treasury on Base chain (use your wallet)
[CRITICAL] Cryptocurrency theft or unauthorized transfer pattern (line 667)
Request USDC withdrawal to your Base wallet address.
[CRITICAL] Cryptocurrency theft or unauthorized transfer pattern (line 718)
| POST | `/api/usdc/payout` | Key | Request USDC withdrawal to wallet |

PERMISSION — Score: 95

[LOW] Skill appears to use network but declares no permissions

POISON — Score: 100

No findings.

CLICKFIX — Score: 100

No findings.

INFRASTRUCTURE — Score: 100

No findings.

TWOSTAGE — Score: 5

[CRITICAL] Download piped directly to interpreter (two-stage loader) (line 279)
curl -s "${BOTTUBE_BASE_URL}/api/trending" | python3 -m json.tool

CREDENTIAL — Score: 100

No findings.

TYPOSQUAT — Score: 60

[CRITICAL] 'bottube' looks like character-swapped 'youtube'
